With a set of results sure set to send Apple fanboys howling at the Moon in disbelief, a recent study claims that Macs are far more insecure than Windows PCs, due partly to the attitude of its users and the relative obscurity of the platform.
An Eset survey conducted last year showed that when Apple users fell for phishing crime they tended to lose a load more dosh than your average Windows PC user, mainly because the majority of cyber crime victims are targeted via social engineering attacks rather than more traditional viruses (see graphic below).
Although we couldn’t help noticing that the survey was made by a software developer with a new Mac anti-virus program in the wings, other experts were quick to comment on the perception that Macs were immune to attacks.
“If you look at the number of published vulnerabilities in software and the number of users and compare Windows versus Mac OS you will discover that Mac OS has far more published vulnerabilities per user than Windows does so I think the data pretty much speaks for itself,” said the curiously named 3ric Johanson, a security researcher, quoted in CNet.
Tyler Reguly, a senior security research engineer with nCircle, also commented on the presumption that Macs are inherently safer than PCs:
If you believe the hype and the flashy commercials the answer would be Mac. But if you take a look at the two platforms, and the mindsets of the companies behind them then the PC wins hands down.”
The Mac platform is also generally built with more exploitable vulnerabilities already on a system when it is delivered.
Nitesh Dhanjani, researcher and consultant broadly supported this view:
I realize the market share argument is a cliche, but I feel it is true–OS X wins from a security perspective because it has a lower market share. Windows Vista and Windows 7 have some impressive security controls that are not present in OS X. If we were to flip the market share, we would see a lot more exploitation in the wild. More specifically, browser security is one of the more important items to consider today from a risk perspective.
I know Internet Explorer has had a considerable share of vulnerabilities, but the Safari Web browser also has a lousy reputation in the security community–it almost seems a child’s play to locate an exploitable condition in Safari. Apple really needs to get its act together with Safari since OS X is enjoying a healthy market share climb at the moment.
Paul Kocher, president and chief scientist with Cryptography Research, found himself sat firmly on the fence:
The fair answer is that with the latest versions of each operating system there isn’t a compelling security reason to pick one or the other…Both have security bugs. Both need patches. Both can be broken if someone finds a zero-day exploit
However, Jeremiah Grossman, founder and chief technology officer at WhiteHat Security still reckoned Macs were the way to go:
To ask that question from a consumer’s perspective you probably should be using the word ‘safe’ rather than ‘secure’; two completely different things. ‘Secure’ is a supermax prison. ‘Safe’ is a playground in suburbia. Follow?
“Macs may or may not be technically more secure than PCs, but that is irrelevant if NOT getting hacked is most important to you. In the current threat climate, Macs do not get attacked nearly as often as PCs. So in that context, Macs are safer for consumers.
More reading:
In their words: Experts weigh in on Mac vs. PC security [CNet]
My Computer is More Secure Than Yours, or Not- the PC vs. Mac Security Debate [NewNewInternet]
Apple’s Mac OS X is less secure than Windows [Inquirer]
Once Upon a Cybercrime… [ESET survey]
Social engineering methods have nothing to do with the platform and everything to do with the user.
It’s a bit like making safer cars makes drivers more complacent so they have more accidents. I’m not saying Macs are safer, but they are perceived to be by their users.
“I’m not saying Macs are safer, but they are perceived to be by their users.”
Which already makes it a big time vuln…
Since Mac users “buy” the whole Apple marketing story, they probably are easier to social engineer 😉